etcd cluster for use by Kubernetes (k8s) services

#!/bin/bash
set -e   # stop on the first failed step so a failed download does not produce half-made certificates
etcd1=192.168.0.10
etcd2=192.168.0.20
etcd3=192.168.0.30
################ create the TLS tooling: download cfssl, cfssljson and cfssl-certinfo
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
### Certificate configuration: ca-config.json defines the signing profile. The "etcd" profile carries both
### "server auth" and "client auth" because the same server.pem is presented on the listeners and as the
### client certificate towards other peers. 87600h is ten years.
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
## Generate the certificates. server-csr.json lists every address the certificate must be valid for (SANs):
## a peer or client that connects to an IP missing from "hosts" fails TLS verification.

cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
    "127.0.0.1",
    "${etcd1}",
    "${etcd2}",
    "${etcd3}"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

# ca.pem / ca-key.pem: the self-signed cluster CA; server.pem / server-key.pem: the member certificate signed with the etcd profile
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
# etcd needs the private keys unencrypted, so restrict them to root; keep ca-key.pem off the etcd nodes once issuing is done
chmod 600 ca-key.pem server-key.pem

##### The start-up commands below reference /etc/etcd/ssl; copy ca.pem, server.pem and server-key.pem there
##### on every node (this script writes them to the current directory), or edit the .pem paths to match.
# mkdir -p /etc/etcd/ssl && cp ca.pem server.pem server-key.pem /etc/etcd/ssl/ && chmod 600 /etc/etcd/ssl/server-key.pem

# Peer and client URLs use https: the certificate flags only take effect on TLS listeners.
# -peer-client-cert-auth makes every peer present a certificate signed by ca.pem, so an unknown host cannot join
# the cluster; add -client-cert-auth as well once a client certificate has been issued for the API server,
# otherwise any host that can reach port 2379 can read and write the store.
# "\\" inside the heredoc becomes a single "\" in the output, so the printed command keeps its line continuations.
print_etcd_cmd() {   # $1 = member name, $2 = this member's IP
cat << EOF
etcd -name $1 -initial-advertise-peer-urls https://$2:2380 \\
  -listen-peer-urls https://$2:2380 \\
  -listen-client-urls https://$2:2379,https://127.0.0.1:2379 \\
  -advertise-client-urls https://$2:2379 \\
  -cert-file=/etc/etcd/ssl/server.pem \\
  -key-file=/etc/etcd/ssl/server-key.pem \\
  -trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  -peer-cert-file=/etc/etcd/ssl/server.pem \\
  -peer-key-file=/etc/etcd/ssl/server-key.pem \\
  -peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  -peer-client-cert-auth \\
  -initial-cluster-token etcd-cluster-1 \\
  -initial-cluster infra0=https://${etcd1}:2380,infra1=https://${etcd2}:2380,infra2=https://${etcd3}:2380 \\
  -initial-cluster-state new

EOF
}

print_etcd_cmd infra0 "${etcd1}"
print_etcd_cmd infra1 "${etcd2}"
print_etcd_cmd infra2 "${etcd3}"

Summary from GitHub (etcd security documentation)

etcd takes several certificate related configuration options, either through command-line flags or environment variables:

Client-to-server communication:

--cert-file=<path>: Certificate used for SSL/TLS connections to etcd. When this option is set, advertise-client-urls can use the HTTPS schema.

--key-file=<path>: Key for the certificate. Must be unencrypted.

--client-cert-auth: When this is set etcd will check all incoming HTTPS requests for a client certificate signed by the trusted CA, requests that don't supply a valid client certificate will fail. If authentication is enabled, the certificate provides credentials for the user name given by the Common Name field.

--trusted-ca-file=<path>: Trusted certificate authority.

--auto-tls: Use automatically generated self-signed certificates for TLS connections with clients.

Peer (server-to-server / cluster) communication:

The peer options work the same way as the client-to-server options:

--peer-cert-file=<path>: Certificate used for SSL/TLS connections between peers. This will be used both for listening on the peer address as well as sending requests to other peers.

--peer-key-file=<path>: Key for the certificate. Must be unencrypted.

--peer-client-cert-auth: When set, etcd will check all incoming peer requests from the cluster for valid client certificates signed by the supplied CA.

--peer-trusted-ca-file=<path>: Trusted certificate authority.

--peer-auto-tls: Use automatically generated self-signed certificates for TLS connections between peers.

If either a client-to-server or peer certificate is supplied the key must also be set. All of these configuration options are also available through the environment variables, ETCD_CA_FILE, ETCD_PEER_CA_FILE and so on.

--cipher-suites: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+.


Copy the script above as-is: it generates the certificates automatically and prints the etcd start-up commands. You need to adjust the storage path of the .pem certificates: they are generated in the current directory, which is where the start-up program loads them from.
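As an added check, not part of the original script or of etcd: the Python below lints a cfssl signing profile, a CSR and one member's start-up flags against each other, catching the mistakes most likely when hand-editing this setup (a member IP missing from the SAN list, an http:// peer URL despite TLS flags, an empty host left by an unset shell variable, peer TLS without peer client certificate authentication, a cert flag without its key flag). It covers both the cfssl configuration section and the flag summary above. The inputs are constructed dicts mirroring the page's JSON files and flags; the flag names are etcd's, the check functions are this example's own.

```python
"""Offline lint for a cfssl-generated etcd TLS setup: the signing profile,
the CSR's SAN list and one member's start-up flags must agree with each other.
Inputs are constructed to mirror the files and commands on this page."""
from urllib.parse import urlsplit

# Constructed: the "etcd" profile from ca-config.json.
CA_CONFIG = {
    "signing": {
        "default": {"expiry": "87600h"},
        "profiles": {
            "etcd": {
                "expiry": "87600h",
                "usages": ["signing", "key encipherment", "server auth", "client auth"],
            }
        },
    }
}

# Constructed: server-csr.json with the three member IPs as SANs.
SERVER_CSR = {
    "CN": "etcd",
    "hosts": ["127.0.0.1", "192.168.0.10", "192.168.0.20", "192.168.0.30"],
    "key": {"algo": "rsa", "size": 2048},
}

# Constructed: the flags member infra0 is started with, keyed by flag name.
# Boolean flags such as peer-client-cert-auth are present with the value True.
MEMBER_FLAGS = {
    "name": "infra0",
    "cert-file": "/etc/etcd/ssl/server.pem",
    "key-file": "/etc/etcd/ssl/server-key.pem",
    "trusted-ca-file": "/etc/etcd/ssl/ca.pem",
    "peer-cert-file": "/etc/etcd/ssl/server.pem",
    "peer-key-file": "/etc/etcd/ssl/server-key.pem",
    "peer-trusted-ca-file": "/etc/etcd/ssl/ca.pem",
    "peer-client-cert-auth": True,
    "listen-peer-urls": "https://192.168.0.10:2380",
    "initial-advertise-peer-urls": "https://192.168.0.10:2380",
    "initial-cluster": "infra0=https://192.168.0.10:2380,"
                       "infra1=https://192.168.0.20:2380,"
                       "infra2=https://192.168.0.30:2380",
}


def parse_initial_cluster(value):
    """Split 'name=url,name=url' into [(name, url), ...]; a malformed entry raises."""
    members = []
    for item in value.split(","):
        name, sep, url = item.partition("=")
        if not (sep and name and url):
            raise ValueError(f"malformed -initial-cluster entry: {item!r}")
        members.append((name, url))
    return members


def check_profile(ca_config, profile="etcd"):
    """Return the extended key usages the profile lacks. The same server.pem is
    served on the peer listener and presented as client cert to other peers, so
    the profile needs both 'server auth' and 'client auth'."""
    usages = set(ca_config["signing"]["profiles"][profile]["usages"])
    return sorted({"server auth", "client auth"} - usages)


def check_member(flags, csr):
    """Return a list of problems with one member's flags (empty list == clean)."""
    problems = []
    sans = set(csr["hosts"])
    peer_tls = "peer-cert-file" in flags
    urls = [flags["listen-peer-urls"], flags["initial-advertise-peer-urls"]]
    urls += [url for _, url in parse_initial_cluster(flags["initial-cluster"])]
    for url in urls:
        parts = urlsplit(url)
        if not parts.hostname:
            # e.g. 'http://:2380' left behind by a misspelled, unset shell variable
            problems.append(f"empty host in {url!r} (unset shell variable?)")
            continue
        if peer_tls and parts.scheme != "https":
            problems.append(f"{url}: peer certs configured but scheme is {parts.scheme}")
        if parts.hostname not in sans:
            problems.append(f"{url}: host {parts.hostname} is not in the certificate SANs")
    for cert, key in (("cert-file", "key-file"), ("peer-cert-file", "peer-key-file")):
        if cert in flags and key not in flags:
            problems.append(f"{cert} set without {key}")
    if peer_tls and not flags.get("peer-client-cert-auth"):
        problems.append("peer TLS without peer-client-cert-auth: "
                        "peer traffic is encrypted but peers are not authenticated")
    return problems


def lint(ca_config=CA_CONFIG, csr=SERVER_CSR, flags=MEMBER_FLAGS):
    """Combined report for the constructed samples; both lists empty means OK."""
    return {"profile_missing": check_profile(ca_config),
            "member_problems": check_member(flags, csr)}


if __name__ == "__main__":
    print(lint())
```

Run it once per member with that member's flag dict; to lint a real deployment, load ca-config.json and server-csr.json with json.load and build the flag dict from the unit file or start-up script. The SAN check is the one most worth keeping: a cluster whose members were added after the certificate was issued fails exactly this way.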
